Sunday, September 5, 2010

Windows 64-bit Rootkits

SANS kindly provided three URLs on rootkits in the wild that use the MBR to do their dastardly deed. It doesn't end there. For the first time, 64-bit Microsoft Windows, which heretofore was not vulnerable, is now vulnerable (2010-08-30). Here are the URLs (I shortened them using TinyURL in preview mode so you can see where you are going):

http://preview.tinyurl.com/3x3lj44
http://preview.tinyurl.com/24llsax
http://preview.tinyurl.com/2bv5pwc

The last URL gave the impression that nothing can be done. To me that is unethical. If you have BIOS protection for the MBR, something can be done. To go into the BIOS on AMD machines, repeatedly tap the Del key right after power-up but before the boot starts. For Intel-powered machines, you use the F2 function key. Turning off the BIOS splash screen helps, since then you can see when you need to do it. Once you get into the BIOS, you can usually find the MBR protection in the Advanced menu if it is an available option. I have seen too much falderal about this making changes to the disk itself. It doesn't alter your disks. It just makes it impossible to write to the MBR of the hard disks you can boot from. It is the BIOS itself that prevents the write from happening, not the disks. There are three cases where you will probably need to turn off the MBR write protection, but only for a very short time span.

1. When installing an additional OS (adding Linux to Windows for example)
2. When upgrading an existing OS.
3. When upgrading the BIOS.

After you have made your changes, be sure to turn the MBR write protection back on if you turned it off. It is very easy to slip up and forget to do it. If you use a check list, put both steps on it: turn the protection off, and then turn it back on.

There is nothing to prevent hackers (I call them crackers) from shifting to using the PBR (Partition Boot Record) to achieve their aim. Since less than 10% of people who have MBR protection in the BIOS will ever turn the protection on, and at least 1/3 of BIOSes don't even have the feature, why would the hackers even bother with the PBR? It is also not a sure deal that use of the PBR would always work properly, since the PBR is meant to be a backup in case of MBR problems. Security never comes via one magic bullet. It is built on layers of protection. Hopefully you have more than one layer for each attack vector. This provides redundancy in case one of the layers fails. So if you have MBR protection as an option in your BIOS, by all means turn it on. It is better than doing nothing and hoping for the best, if this option is available to you. But don't depend on it to completely protect you.

Shifting to Linux or a Macintosh is yet another security layer (but not a security magic bullet) that can be used to protect yourself. The problem is, too many Linux and Macintosh owners do see their OS as a magic bullet. That is why I see strange things like ${HOME}/bin and "." (the current directory / folder) first in the PATH on at least one version of Linux. I want this order gone ASAP. If you must have ${HOME}/bin and "." in the PATH, add them at the end, with "." at the very end. I don't even have "." at all in my PATH. Does that tell you something? Prepending "./" to the binary or shell script in the current folder is not that big of a problem. I have been doing it for 30+ years now. That means I was doing it with Unix long before Linux was even a gleam in Linus Torvalds' eyes.
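As an added example that is not part of the original post, the following POSIX shell script audits a PATH value for the entries discussed above ("." and empty elements, which the shell treats as the current directory, plus any other relative entry) and rebuilds it with ${HOME}/bin at the very end and "." removed. The function names `audit_path` and `sanitize_path` are my own; the script only reads PATH and never changes it.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PATH value for the
# entries the post warns about, then rebuild it in the order it recommends.
# The shell searches PATH left to right, so "." or an empty element (which
# also means the current directory) near the front lets a file dropped in
# whatever folder you are in shadow a system command.

# audit_path PATHVALUE
# Prints one "<position>:<kind>:<entry>" line per risky element: kind "cwd"
# for an empty or "." element, "relative" for any other non-absolute entry.
# Returns 0 when PATH is clean, 1 when at least one risky element was found.
audit_path() {
    rest="$1:"      # trailing ':' sentinel so a final empty element is seen
    pos=1; rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.) printf '%s:cwd:%s\n' "$pos" "$entry"; rc=1 ;;
            /*)   ;;                                  # absolute: fine
            *)    printf '%s:relative:%s\n' "$pos" "$entry"; rc=1 ;;
        esac
        pos=$((pos + 1))
    done
    return $rc
}

# sanitize_path PATHVALUE HOMEDIR
# Prints a rebuilt PATH: absolute system entries first in their original
# order, "$HOMEDIR/bin" moved to the very end, and cwd/relative entries
# dropped (the post's own choice: type ./prog when you mean this folder).
sanitize_path() {
    rest="$1:"
    home_bin="$2/bin"
    sys=''; last=''
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.|[!/]*)  ;;                           # drop cwd and relative
            "$home_bin") last=$home_bin ;;
            *)           sys="${sys:+$sys:}$entry" ;;
        esac
    done
    printf '%s\n' "${sys}${last:+:$last}"
}

audit_path "$PATH" || echo "risky PATH entries listed above (position:kind:entry)"
echo "suggested PATH: $(sanitize_path "$PATH" "${HOME:-/nonexistent}")"
```

Run it once in a fresh login shell so the PATH it sees is the one your startup files actually build, not one you have already fixed by hand.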